UtilityKit


HTTP Headers Checker

Inspect response status and headers from public HTTPS origins

About HTTP Headers Checker

HTTP Headers Checker on UtilityKit fetches and displays the complete HTTP response headers for any public URL, showing the status code, timing, redirect hops, and every header the server returns, without needing browser DevTools, curl, or Postman. Page JavaScript cannot read most response headers from a cross-origin request: the same-origin policy exposes only the CORS-safelisted headers plus whatever the target names in Access-Control-Expose-Headers, so a purely client-side checker cannot see the full set without a server proxy. This tool routes the request through the UtilityKit backend, which performs a server-side HEAD request (with GET fallback) against the target URL, follows redirects, and returns the full header set as a sorted, human-readable text block alongside the final resolved URL, HTTP status, response time in milliseconds, and hop count. Security headers like Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy are.

Why use HTTP Headers Checker

Bypasses CORS Restrictions

Browsers block JavaScript from reading most cross-origin response headers: only the CORS-safelisted headers and any the target lists in Access-Control-Expose-Headers are readable. The DevTools network tab shows every header, but only for requests the current page itself made. The server-side proxy returns the complete header set for any public URL you name, with no page involved.

Security Header Audit

Immediately surface the presence or absence of OWASP-recommended security headers — HSTS, CSP, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy — without running a dedicated scanner.

Redirect Chain Visibility

The final URL and hop count expose unnecessary redirect chains — double HTTP-to-HTTPS hops, www-to-non-www redirects, and temporary-to-permanent redirect cascades that add latency for every visitor.

Cache Header Diagnosis

Inspect Cache-Control, ETag, Last-Modified, Vary, and CDN-specific headers to verify caching policy is configured as intended and long-TTL immutable assets are marked correctly.

Response Time Measurement

The millisecond response time shown is the server-side round-trip from the UtilityKit backend to the target URL — a useful baseline for comparing API endpoint performance or detecting degraded backends.

No Tool Installation

Replaces a curl -I command or Postman request for quick header checks on any device with a browser. No local tool configuration, no authentication setup, no command memorization required.

How to use HTTP Headers Checker

  1. Paste the full URL you want to inspect into the input field, including the scheme — for example, https://example.com or https://api.example.com/health. The URL must be public and accessible from the internet.
  2. Click Fetch. The UtilityKit backend sends an HTTP HEAD request to the target URL (falling back to GET if the server rejects HEAD or returns no useful headers for it) and follows any redirects.
  3. Review the result block. The first three lines show the final resolved URL after all redirects, the HTTP status code and reason phrase, and the round-trip response time and redirect hop count.
  4. Scroll through the alphabetically sorted header list below the summary. Each line shows the header name followed by its value.
  5. Check for the critical security headers: Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options (or a frame-ancestors directive inside the CSP), and Referrer-Policy. The list is complete, so a header you expect but do not see is absent from the response, which is a finding in itself.
  6. Copy the entire output block for inclusion in security audit reports, CDN troubleshooting documentation, or incident post-mortems.
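The six steps above, reduced to working code so the backend's job is visible: HEAD first, GET when HEAD is rejected or empty, redirects followed by hand with each request counted as a hop, headers sorted, round-trip timed. This is an added example written for this page, not UtilityKit's implementation. The hop limit of 10, the FAKE_SITE table and every response in it are constructed for the demonstration; the default transport uses http.client for real URLs.

```python
"""The fetch procedure described above, as a small script.

Added example for this page, not UtilityKit's implementation. The transport
is injectable so the redirect and HEAD-fallback logic runs offline against the
constructed FAKE_SITE table; the default transport uses http.client for real URLs.
"""
import http.client
import time
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # assumption: the page does not state the backend's hop limit


def http_client_transport(method, url):
    """Real transport: one request, redirects are NOT followed automatically."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=10)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request(method, path, headers={"User-Agent": "header-check-example/1.0"})
    resp = conn.getresponse()
    headers = [(k.lower(), v) for k, v in resp.getheaders()]
    if method == "GET":
        resp.read()  # discard the body; only the headers are wanted
    conn.close()
    return resp.status, resp.reason, headers


def check_headers(url, transport=http_client_transport, max_hops=MAX_HOPS):
    """Follow redirects by hand, counting every request made as one hop."""
    start = time.monotonic()
    hops, current = 0, url
    while True:
        hops += 1
        if hops > max_hops:
            raise RuntimeError(f"gave up after {max_hops} hops (redirect loop?)")
        status, reason, headers = transport("HEAD", current)
        # GET fallback: some servers reject HEAD (405/501) or answer it with nothing useful
        if status in (405, 501) or not headers:
            status, reason, headers = transport("GET", current)
        location = next((v for k, v in headers if k == "location"), None)
        if 300 <= status < 400 and location:
            current = urljoin(current, location)  # Location may be relative
            continue
        break
    return {
        "final_url": current,
        "status": status,
        "reason": reason,
        "time_ms": int((time.monotonic() - start) * 1000),
        "hops": hops,
        "headers": sorted(headers),  # alphabetical, as the tool displays them
    }


def format_result(r):
    """Render the same three summary lines plus one line per header."""
    lines = [f"Final URL: {r['final_url']}", f"HTTP {r['status']} {r['reason']}",
             f"Time: {r['time_ms']} ms · Hops: {r['hops']}"]
    lines += [f"{name}: {value}" for name, value in r["headers"]]
    return "\n".join(lines)


# Constructed offline stand-in for a site, mirroring the redirect-chain example
# on this page: http -> https, www -> apex, /old-page -> /new-page, then a
# final page that rejects HEAD so the GET fallback is exercised.
FAKE_SITE = {
    ("HEAD", "http://www.example.com/old-page"): (301, "Moved Permanently",
        [("location", "https://www.example.com/old-page"), ("server", "nginx")]),
    ("HEAD", "https://www.example.com/old-page"): (301, "Moved Permanently",
        [("location", "https://example.com/old-page")]),
    ("HEAD", "https://example.com/old-page"): (308, "Permanent Redirect",
        [("location", "/new-page")]),  # relative Location, resolved with urljoin
    ("HEAD", "https://example.com/new-page"): (405, "Method Not Allowed",
        [("allow", "GET")]),
    ("GET", "https://example.com/new-page"): (200, "OK",
        [("strict-transport-security", "max-age=31536000"),
         ("content-type", "text/html; charset=utf-8")]),
    ("HEAD", "https://loop.example.com/"): (302, "Found",
        [("location", "https://loop.example.com/")]),  # redirect loop
}


def fake_transport(method, url):
    return FAKE_SITE[(method, url)]


if __name__ == "__main__":
    print(format_result(check_headers("http://www.example.com/old-page", fake_transport)))
```

Run it and the output is the same shape as the result block the tool shows: four hops for three redirects, the headers of the final 200 only, and a RuntimeError instead of an endless loop if a Location keeps pointing at itself.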

When to use HTTP Headers Checker

  • When auditing a site for security header compliance and you need to quickly verify whether HSTS, CSP, and X-Content-Type-Options are present before a penetration test or compliance review.
  • When debugging a CDN caching issue — check whether Cache-Control returns public, max-age=31536000 for static assets or no-store for dynamic API responses, as configured.
  • When troubleshooting a redirect loop or unexpected redirect chain — the hop count and final URL reveal whether a URL resolves cleanly or bounces through unnecessary intermediate hops.
  • When verifying a Content-Security-Policy header after deployment to confirm that the policy string reaching clients matches the intended configuration and that no proxy, CDN, or deployment step dropped or truncated it.
  • When checking a third-party API or SaaS endpoint's response characteristics — server type, rate-limit headers, authentication challenge headers — without writing code to inspect them.
  • When running a pre-launch checklist and confirming that the production server returns the correct headers for hashed CSS bundles (immutable), HTML pages (short revalidation), and API routes (no-cache).

Examples

Security header audit of a production site

Input: URL: https://example.com

Output:
  Final URL: https://example.com/
  HTTP 200 OK
  Time: 187 ms · Hops: 1
  cache-control: max-age=3600, public
  content-encoding: gzip
  content-security-policy: default-src 'self'; script-src 'self' 'nonce-abc123'
  content-type: text/html; charset=utf-8
  referrer-policy: strict-origin-when-cross-origin
  server: nginx
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  x-content-type-options: nosniff
  x-frame-options: DENY

CDN asset with immutable cache headers

Input: URL: https://cdn.example.com/dist/css/main.a1b2c3d4.css

Output:
  Final URL: https://cdn.example.com/dist/css/main.a1b2c3d4.css
  HTTP 200 OK
  Time: 23 ms · Hops: 1
  cache-control: public, max-age=31536000, immutable
  content-encoding: br
  content-length: 18432
  content-type: text/css; charset=utf-8
  etag: "a1b2c3d4-18432"
  last-modified: Thu, 01 May 2026 00:00:00 GMT
  vary: Accept-Encoding

URL with a redirect chain

Input: URL: http://www.example.com/old-page

Output:
  Final URL: https://example.com/new-page
  HTTP 200 OK
  Time: 312 ms · Hops: 4
  content-type: text/html; charset=utf-8
  strict-transport-security: max-age=31536000

The four hops were http://www.example.com/old-page → https://www.example.com/old-page → https://example.com/old-page → https://example.com/new-page (http → https, www → non-www, /old-page → /new-page). Three redirects means four requests, so the hop count is 4, and each intermediate redirect costs every visitor an extra round trip. The headers listed are those of the final 200 response, which is why no location header appears.

Tips

  • Check for the Strict-Transport-Security header and verify it includes a max-age of at least 31536000 (one year) and preferably the includeSubDomains and preload directives for full HSTS protection. Add preload only once every subdomain serves HTTPS: the directive signals inclusion in the browsers' built-in preload list, which is slow to undo, so a subdomain that still needs plain HTTP becomes unreachable.
  • A Cache-Control: public, max-age=31536000, immutable header on hashed static assets (CSS, JS) confirms the CDN will serve them without revalidation for a full year. If you see no-cache or short max-age on these assets, your CDN configuration is likely incorrect.
  • The Server and X-Powered-By headers expose technology stack information. Many security hardening guides recommend removing or obfuscating these headers to avoid fingerprinting — if they appear, consider configuring your server to omit them.
  • After deploying a Content-Security-Policy, use this tool to verify the exact CSP string that reaches browsers. Browsers do not reject a malformed policy as a whole: a misspelled directive name is ignored, and a missing semicolon merges two directives into one (script-src 'self' style-src 'self' leaves style-src unset, with the stray token swallowed as a source expression of script-src). The policy still ships looking valid, so read the string directive by directive.
  • Check the Vary header on CDN-served responses. Vary: Accept-Encoding is expected for compressed assets. Vary: Cookie or Vary: Authorization on public pages means every authenticated session gets a separate cache entry, which can degrade CDN efficiency significantly.
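The checks in these tips (HSTS age and directives, CSP and clickjacking protection, nosniff, Referrer-Policy, Server/X-Powered-By disclosure, immutable caching on hashed assets, Vary: Cookie), applied to the text block the tool prints. This is an added example written for this page, not UtilityKit code; the severities, the hashed-asset filename pattern, and the SAMPLE block (the page's first example with a deliberately short HSTS max-age and no Referrer-Policy) are constructed assumptions, while the thresholds come from the tips.

```python
"""Lint the text block this tool prints, applying the checks from the tips above.

Added example for this page, not UtilityKit code. The severities, the hashed-
asset filename pattern and the sample block below are constructed assumptions;
the thresholds (one-year HSTS, immutable hashed assets) come from the tips.
"""
import re

ONE_YEAR = 31536000
HASHED_ASSET = re.compile(r"\.[0-9a-f]{8,}\.(?:css|js)$", re.I)  # e.g. main.a1b2c3d4.css


def parse_block(text):
    """Split the tool's output: three summary lines, then 'name: value' lines."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    summary, headers = lines[:3], {}
    for line in lines[3:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    final_url = summary[0].partition(":")[2].strip()
    return final_url, headers


def directives(value, sep):
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}"""
    out = {}
    for part in value.split(sep):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.lower()] = val.strip()
    return out


def int_or_zero(s):
    try:
        return int(s)
    except (TypeError, ValueError):
        return 0


def lint_headers(final_url, h):
    f = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        f.append("HIGH: Strict-Transport-Security missing")
    else:
        d = directives(hsts, ";")
        max_age = int_or_zero(d.get("max-age"))
        if max_age < ONE_YEAR:
            f.append(f"MEDIUM: HSTS max-age {max_age} is below one year ({ONE_YEAR})")
        for want in ("includesubdomains", "preload"):
            if want not in d:
                f.append(f"LOW: HSTS lacks {want}")
    csp = h.get("content-security-policy", "")
    if not csp:
        f.append("HIGH: Content-Security-Policy missing")
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        f.append("MEDIUM: neither CSP frame-ancestors nor X-Frame-Options set (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        f.append("MEDIUM: X-Content-Type-Options: nosniff missing")
    if "referrer-policy" not in h:
        f.append("LOW: Referrer-Policy missing")
    for name in ("server", "x-powered-by"):  # stack fingerprinting
        if h.get(name):
            f.append(f"INFO: {name} discloses '{h[name]}'")
    cc = directives(h.get("cache-control", ""), ",")  # Cache-Control is comma separated
    if HASHED_ASSET.search(final_url) and (
            "immutable" not in cc or int_or_zero(cc.get("max-age")) < ONE_YEAR):
        f.append("MEDIUM: hashed asset is not 'public, max-age=31536000, immutable'")
    vary = {v.strip().lower() for v in h.get("vary", "").split(",")}
    if vary & {"cookie", "authorization"}:
        f.append("INFO: Vary includes Cookie/Authorization; the CDN caches per session")
    return f


def lint_block(text):
    return lint_headers(*parse_block(text))


# Constructed sample: the page's first example, with a short HSTS max-age,
# no Referrer-Policy and no frame-ancestors/X-Frame-Options, to trigger findings.
SAMPLE = """\
Final URL: https://example.com/
HTTP 200 OK
Time: 187 ms · Hops: 1
cache-control: max-age=3600, public
content-security-policy: default-src 'self'; script-src 'self' 'nonce-abc123'
content-type: text/html; charset=utf-8
server: nginx
strict-transport-security: max-age=86400
x-content-type-options: nosniff
"""

if __name__ == "__main__":
    for finding in lint_block(SAMPLE):
        print(finding)
```

Paste the tool's output into SAMPLE (or read it from a file) and the script returns one line per finding; against the constructed sample it reports the one-day HSTS age, the two missing HSTS directives, the absent clickjacking protection, the missing Referrer-Policy, and the nginx disclosure. Note that directives() takes the separator as a parameter because HSTS and CSP use semicolons while Cache-Control and Vary use commas.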

Frequently Asked Questions

Why can't my browser show these headers directly?
The browser's same-origin policy prevents page JavaScript from reading response headers from cross-origin requests unless the server opts in via CORS. Even when the request is CORS-allowed, JavaScript can only read the CORS-safelisted response headers (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma) and any the server lists in Access-Control-Expose-Headers. The DevTools network tab shows everything, but only for requests the current page made. This tool's server-side proxy makes the request from the backend and returns the full unfiltered header set.
What HTTP method does the tool use?
The backend attempts a HEAD request first, which retrieves headers without downloading the response body, so it is faster and lighter. If the server rejects HEAD or returns no useful headers for it (some servers behave this way), it falls back to a GET request and discards the body. Some origins answer HEAD and GET with slightly different headers (Content-Length is often absent on HEAD), so a surprising result is worth re-checking with a GET from curl.
What security headers should I look for?
The OWASP Secure Headers Project recommends: Strict-Transport-Security (HSTS) to enforce HTTPS, Content-Security-Policy to restrict content sources, X-Content-Type-Options: nosniff to prevent MIME sniffing, X-Frame-Options or a frame-ancestors CSP directive to prevent clickjacking, and Referrer-Policy to control what referrer information is sent with outbound links.
What does the hop count mean?
Each HTTP redirect (3xx response) counts as one hop. A hop count of 1 means no redirects — the URL resolved directly. A count of 2 means one redirect occurred. Redirect chains with 3 or more hops add measurable latency and are worth consolidating. An HTTP-to-HTTPS redirect plus a www-to-non-www redirect is a common two-hop chain that can be reduced to one.
Can I check headers for internal or localhost URLs?
No. The backend enforces SSRF protection and blocks all private address ranges (RFC 1918), loopback (127.0.0.1, ::1), link-local addresses (169.254.0.0/16), and internal hostnames. Only publicly routable internet URLs can be checked.
Why does the response time vary between checks?
The measured time is the round-trip from the UtilityKit backend server to the target URL. It is affected by server location relative to the target, server load on both ends, network congestion, and CDN PoP assignment. For consistent comparisons, run multiple checks and look at the trend rather than a single value.
How do I check headers for a URL that requires authentication?
The tool makes unauthenticated requests. If the target URL returns a 401 or 302 redirect to a login page, the tool will show those headers rather than the protected resource's headers. For authenticated endpoints, use curl with --header 'Authorization: Bearer token' in your terminal where credentials can be passed securely.
What does a missing Content-Security-Policy header mean?
A missing CSP header means the browser applies no restrictions beyond the same-origin policy on what scripts, styles, frames, or other resources the page can load. Any cross-site scripting (XSS) bug on the page is then fully exploitable: injected scripts execute without restriction. A CSP does not fix the injection itself, but it limits what an injected script can do, which makes it one of the highest-impact security header additions for any web application.


Glossary

HTTP Response Header
Metadata sent by the server alongside an HTTP response that instructs the browser and intermediate proxies on how to handle the content — including caching, security policies, content type, and encoding.
Strict-Transport-Security (HSTS)
A security header that instructs browsers to always use HTTPS for a domain for the specified max-age duration, even if the user types an HTTP URL. Once the browser has seen the header (or the domain is on the built-in preload list), this blocks SSL-stripping attacks on later visits.
Content-Security-Policy (CSP)
A security header that specifies which sources of scripts, styles, images, and other resources the browser is allowed to load for a page. A well-configured CSP is a strong second line of defense against cross-site scripting (XSS); correct output encoding at the point of injection remains the primary fix.
Cache-Control
An HTTP header that controls how and for how long responses are cached by browsers and CDNs. Common values include no-cache, no-store, public max-age=N, and immutable.
X-Content-Type-Options
A security header with the value nosniff that prevents browsers from MIME-sniffing a response away from its declared Content-Type. Stops a class of content injection attacks in which a non-script response is coaxed into executing as script.
SSRF (Server-Side Request Forgery)
A vulnerability where an attacker tricks a server into making HTTP requests to internal resources. Header checker tools mitigate this by blocking private IP ranges and localhost before making any outbound request. The check has to be applied to the address the hostname actually resolves to, not just to the literal hostname, since a public name can resolve to an internal address.
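The destination check behind the FAQ answer on internal and localhost URLs and this glossary entry, as working code. This is an added example written for this page, not UtilityKit's backend. The page names RFC 1918, loopback, and link-local ranges; the additional blocked ranges (unspecified, CGNAT, multicast, reserved, IPv6 ULA and link-local), the list of internal-looking hostname suffixes, and the FAKE_DNS answers (203.0.113.0/24 is the documentation range, used here as "public") are assumptions constructed for the demonstration.

```python
"""The destination check a header-checker backend must make before any outbound
request (see the FAQ on internal URLs and the SSRF glossary entry).

Added example for this page, not UtilityKit's code. The resolver is injectable
so the logic runs offline against the constructed FAKE_DNS table; the default
resolver uses socket.getaddrinfo. The blocked ranges beyond those the page
names, and the internal-looking suffix list, are assumptions.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 (named on the page)
    "127.0.0.0/8",                                    # loopback (named on the page)
    "169.254.0.0/16",     # link-local, incl. cloud metadata 169.254.169.254 (named on the page)
    "0.0.0.0/8", "100.64.0.0/10", "224.0.0.0/4", "240.0.0.0/4",  # unspecified, CGNAT, multicast, reserved (assumption)
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",    # IPv6 equivalents (assumption)
)]
INTERNAL_SUFFIXES = (".localhost", ".local", ".internal", ".home.arpa")  # assumption


def is_public_address(ip_str):
    ip = ipaddress.ip_address(ip_str)
    # Unwrap ::ffff:10.0.0.1 so the IPv4 table also applies to mapped addresses.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not any(ip in net for net in BLOCKED_NETWORKS)


def looks_internal(host):
    h = host.lower().rstrip(".")
    return h == "localhost" or h.endswith(INTERNAL_SUFFIXES) or "." not in h


def default_resolver(host):
    """All A/AAAA answers, not just the first: every one of them must be public."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def vet_target(url, resolver=default_resolver):
    """Return the vetted addresses for url, or raise ValueError with the reason.

    Connect to one of the returned addresses rather than re-resolving, or a
    DNS-rebinding answer can swap in an internal address after the check.
    Apply this to every redirect hop, since a public host can redirect inward.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # urlsplit strips the [] from IPv6 literals
    if not host:
        raise ValueError("URL has no host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        if looks_internal(host):
            raise ValueError(f"internal hostname refused: {host}")
        # Alternate IP spellings (e.g. 0177.0.0.1) fail ip_address() and go to
        # the resolver; whatever it turns them into is checked below, so the
        # decision is made on the address that would actually be connected to.
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        raise ValueError(f"{host} resolves to non-public address(es): {', '.join(bad)}")
    return addrs


def rejection_reason(url, resolver=default_resolver):
    """None if the URL may be fetched, otherwise the refusal message."""
    try:
        vet_target(url, resolver)
        return None
    except ValueError as err:
        return str(err)


# Constructed DNS answers; 203.0.113.0/24 is the documentation range, used as "public".
FAKE_DNS = {
    "example.com": ["203.0.113.10"],
    "mixed.example.net": ["203.0.113.20", "10.0.0.5"],  # one public, one private answer
    "v6.example.org": ["::ffff:192.168.1.1"],          # IPv4-mapped private address
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://example.com/", "http://127.0.0.1:8080/", "http://169.254.169.254/latest/",
              "https://mixed.example.net/", "http://[::1]/", "http://localhost/", "https://v6.example.org/"):
        print(u, "->", rejection_reason(u, fake_resolver) or "ok")
```

The two details that matter most are in vet_target: every resolved address is checked (a name with one public and one private A record is refused, not accepted because the first answer looked fine), and the caller is expected to connect to the vetted address rather than resolve again.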